Welcome to the SecAware blog

I spy with my beady eye ...

17 Feb 2018

NBlog February 17 - The I part of CIA

Integrity is a universal requirement, especially if you interpret the term widely to include aspects such as:
  • Completeness of information;
  • Accuracy of information;
  • Veracity, authenticity and assurance levels in general e.g. testing and measuring to determine how complete and accurate a data set is, or is not (an important control, often neglected);
  • Timeliness (or currency or ‘up-to-date-ness’) of information (with the implication of controls to handle identifying and dealing appropriately with outdated info – a control missing from ISO/IEC 27001 Annex A, I think);
  • Database integrity plus aspects such as contextual appropriateness plus internal and external consistency (and, again, a raft of associated controls at all levels of the system, not just Codd’s rules within the DBMS);
  • Honesty, justified credibility, trust, trustworthiness, ‘true grit’, resilience, dependability and so forth, particularly in the humans and systems performing critical activities (another wide-ranging issue with several related controls);
  • Responsibility and accountability, including custodianship, delegation, expectations, obligations, commitments and all that …
  • … leading into ethics, professional standards of good conduct, ‘rules’, compliance and more.
The full breadth of meanings and the implications of “integrity” are the key reason I believe it deserves its place at information risk and security’s high table, along with confidentiality and availability. However, for some people in the field (perhaps a greater proportion of non-native English speakers?), it evidently has a much more restricted meaning, hence the reason for the note to this definition of information security:
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48), and reliability (3.55) can also be involved."

Those additional properties, and more, are to me all part of “integrity” (plus availability in the case of “reliability”).

By the way, Donn Parker has argued for years (decades!) that the CIA triad is deficient. Aside from the vagueness of “integrity” which is at least partially addressed by that note, Donn points out that there are other, materially different properties or requirements or features of information that are also an integral part of the domain, such as ownership and control – and I must say I think he’s right. A significant part of privacy, for example, is the concept that we data subjects own and hence have a right to control or choose how our personal information is used, disclosed, stored, maintained and disposed of, regardless of who actually has possession of it at any moment, and regardless of the fact that we may have chosen to disclose it to them, or failed to prevent them accessing it (e.g. by standing naked at a window!). That, for me, goes beyond CIA, although some would say it falls under responsibility, accountability and trust which is part of integrity, and of course there is a confidentiality angle. Regardless of the official/academic definitions, it’s an intriguing perspective. 

No comments:

Post a Comment